Analysis
max time kernel: 149s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 19:45
Static task: static1
Behavioral task: behavioral1
  Sample: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
  Resource: win10v2004-20241007-en
General
Target: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
Size: 4.1MB
MD5: b93004c132f8750522b7ef4097c3ca47
SHA1: c97e9f8203ce5dc89db93e734fea64dd8330e81b
SHA256: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222
SHA512: 8bdc2c4bc22243b578e0f06538f7acadfeee2fc6aff998b2b694866ce614459df28dd666e5161c6a5dee5884b119bbe4c8b4afab772c63a968d12454c5c03bab
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz
Malware Config
Signatures

Drops startup file (1 IoC)
Processes: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
Executes dropped EXE (2 IoCs)
Processes: sysdevbod.exe, devdobloc.exe
pid | Process
4072 | sysdevbod.exe
3920 | devdobloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ9\\devdobloc.exe" | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXL\\dobdevloc.exe" | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe, sysdevbod.exe, devdobloc.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevbod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe, sysdevbod.exe, devdobloc.exe
pid | Process | entries
1180 | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | 4
4072 | sysdevbod.exe | 30
3920 | devdobloc.exe | 30
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
description | pid | Process | procid_target
PID 1180 wrote to memory of 4072 | 1180 | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | 88
PID 1180 wrote to memory of 4072 | 1180 | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | 88
PID 1180 wrote to memory of 4072 | 1180 | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | 88
PID 1180 wrote to memory of 3920 | 1180 | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | 91
PID 1180 wrote to memory of 3920 | 1180 | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | 91
PID 1180 wrote to memory of 3920 | 1180 | 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | 91
Processes

[1] C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe"
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1180

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 4072

    [2] C:\SysDrvZ9\devdobloc.exe
        Command line: C:\SysDrvZ9\devdobloc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 3920
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.1MB
MD5: e3d42ce709ba30e8ec12030e77dd2759
SHA1: b49dd3f2b896e1e742c3215f6ca5bd081913102d
SHA256: 72a9f3126038b3cafbb53fe7167ce7555856030c39f0193567d04be7d235c42a
SHA512: 9d20edda519a734ea35d4244d5d40e9c0517686aa12551cc1978d15d40eeed8c754253c09b8c1ebb0b57b2510c5d37fc84796090215546410df07fce1f73cf69

Filesize: 1.4MB
MD5: ccede89232f164881cdeb3c62ae98f4f
SHA1: 67cb5ebee01c039808a0862b8eae4433f60fa76e
SHA256: 1da05bdbbd22d72749402d4414cfb3a31e1cb025b3168ff580643b7df8480c4a
SHA512: 824afaa624648e73e5eee695b0ce0156608a7920c519e55b198b3b35a679501767c74069926fdbd36cfeb750aa7e2ee34258964f0ec75d367714e5bf3bffc295

Filesize: 4.1MB
MD5: 2a2d4c56dc545dbd1235b3de74df0308
SHA1: 128049efa25c4d5ec038092f742c4c7928f79a9e
SHA256: d4f9becd8d59ab06b887e2f66fe383b9418b6d804602e3d0cd51c5ab5d44f738
SHA512: 223ce0eb356eda1022671cc81fe7c1a6ce71746eac696f1924bf08d01d3c89be3f6a60bdfe4ad6202d02fb192acaa4622cc088749a3ab7f9c6b81b8b094d2c46

Filesize: 207B
MD5: c8d522c77f5ddef15b8f2db4a0d8423b
SHA1: e4a85cb23a6fbb77d4f758a2603e61ebf9cbbd6f
SHA256: ec0ce132a83cdaf3c19836af63c1b5553374d19d4f5b066552cf16962b39523d
SHA512: efc37cf4685b40a7c3c60b88fd448ad2a915997afb8fcc35167e90aa3aa447f0acf6e43fe135f1eed6203d2d865812d979bfd2867bf6a3cbec8b198a8d9fda17

Filesize: 175B
MD5: 854c232a225269e045136916e2759f2a
SHA1: 564348ad6adce6180bda0ec75a03a87556a3cd6f
SHA256: f6d944c370540b226e5881c645fb3bb8426f423859a6fa3599a4c374890a3e4d
SHA512: fc280dfb61ef4cdb6c7250bc52d3554656ff4c2b8bb8a26218eed7591ba91dfd372a0c63dd6321b22a7cf466002478c7ffc18acc426595ad6c45eddb10d28076

Filesize: 4.1MB
MD5: 98aefb490082e8457012126b9c0035ae
SHA1: 8cc8f9fcb9726de516c3afc8a4d32f320b059e26
SHA256: 2b81eb5ec73557f5ea7ebebeb92ca9083da50c6dc2dd2d6edc0cb04ae3d9da98
SHA512: 81307fddbe216d08744bf42649de0b07420e8fbe57f0f6f72d62d1f590a0d838ea562c50f3d3ed005c94fb87cb2f506880cb1c6d8ac2bd3d9a8c7c7eb141f846